fix(docker): set nemoclaw-start permissions to 755 for sandbox readability (fixes #622) #635

Open
craigamcw wants to merge 1 commit into NVIDIA:main from craigamcw:fix/nemoclaw-start-permissions-622

craigamcw commented Mar 22, 2026

The nemoclaw-start script had 0711 permissions after chmod +x in the Dockerfile. The sandbox user (uid=999) could execute but not read the file, causing bash to fail with "Permission denied" (exit 126) since bash needs read access to interpret scripts.

Summary

Fix nemoclaw-start script permissions from 0711 to 0755 so the sandbox user can read and execute it. Bash needs read access to interpret scripts; execute-only causes "Permission denied" (exit 126).

Related Issue

Fixes #622

Changes

  • Change chmod +x to chmod 755 for /usr/local/bin/nemoclaw-start in Dockerfile.

Type of Change

  • Code change for a new feature, bug fix, or refactor.
  • Code change with doc updates.
  • Doc only. Prose changes without code sample modifications.
  • Doc only. Includes code sample changes.

Testing

  • make check passes.
  • npm test passes.
  • make docs builds without warnings. (for doc-only changes)

Checklist

General

Code Changes

  • [] make format applied (TypeScript and Python).
  • [] Tests added or updated for new or changed behavior.
  • No secrets, API keys, or credentials committed.
  • Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

Doc Changes

  • Follows the style guide. Try running the update-docs agent skill to draft changes while complying with the style guide. For example, prompt your agent with "/update-docs catch up the docs for the new changes I made in this PR."
  • New pages include SPDX license header and frontmatter, if creating a new page.
  • Cross-references and links verified.

Summary by CodeRabbit

  • Chores
    • Updated build process to ensure consistent file permissions for the application startup script.

…ility

Implemented feature with help from Claude Code

The nemoclaw-start script had 0711 permissions after `chmod +x` in the
Dockerfile. The sandbox user (uid=999) could execute but not read the
file, causing bash to fail with "Permission denied" (exit 126) since
bash needs read access to interpret scripts.

Use explicit `chmod 755` to ensure the sandbox user can both read and
execute the startup script.

Fixes NVIDIA#622

Signed-off-by: Craig <craig@epic28.com>
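
A build-time check for the condition this PR fixes, as an added example (not code from the PR or the NemoClaw repository): it lists `#!` scripts whose mode lets "other" users execute but not read them, as 0711 does. The function names and the sample tree are hypothetical, and it assumes the runtime user is neither the file's owner nor in its group.

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed sample files.

# find_exec_only_scripts DIR
# Print every regular file under DIR that
#   - grants execute to "other" (o+x) but not read (o-r), and
#   - starts with "#!", i.e. is run by an interpreter that must open it.
# Compiled binaries with the same mode are skipped: the kernel loads them
# without the caller needing read permission.
find_exec_only_scripts() {
    find "$1" -type f -perm -001 ! -perm -004 | sort | while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# audit_scripts DIR
# Return non-zero when any such script exists, so the check can gate a build.
audit_scripts() {
    bad=$(find_exec_only_scripts "$1")
    if [ -n "$bad" ]; then
        printf 'execute-only scripts (unreadable by non-owner users):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree: one script at 0711, the same script at 0755,
# and a non-script file at 0711. Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    printf '#!/bin/bash\necho start\n' > "$d/start-711"
    cp "$d/start-711" "$d/start-755"
    printf '\177ELF' > "$d/binary-711"
    chmod 711 "$d/start-711" "$d/binary-711"
    chmod 755 "$d/start-755"
    printf '%s\n' "$d"
}
```

Running `audit_scripts` against the directory that holds the image's entrypoint scripts fails the build on a 0711 script and passes once the mode is 0755.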

coderabbitai bot commented Mar 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 33cafa9e-3d1a-40ef-8870-2b6bb01a6db6

📥 Commits

Reviewing files that changed from the base of the PR and between 04012f7 and 3412ef8.

📒 Files selected for processing (1)
  • Dockerfile

📝 Walkthrough

The Dockerfile permission command for /usr/local/bin/nemoclaw-start is updated from chmod +x to chmod 755, explicitly setting readable and executable permissions for all users. This resolves a permission denial issue where non-root users couldn't read the script despite having execute permissions.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dockerfile Permission Fix: Dockerfile | Changed chmod +x to chmod 755 for /usr/local/bin/nemoclaw-start to ensure all users can read and execute the script, resolving permission denied errors in sandbox execution. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A script locked tight with bits of 711,
Could run but not read—permission undone!
Now 755 brings clarity bright,
All users can read, all users take flight.
Thank goodness permissions are finally right! 🏃‍♂️✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: updating Docker permissions for nemoclaw-start from +x to 755, addressing sandbox readability. |
| Linked Issues check | ✅ Passed | The PR fully implements the fix specified in #622: changing chmod +x to chmod 755 in Dockerfile, enabling the sandbox user to read the nemoclaw-start script. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to fixing issue #622; only the Dockerfile chmod instruction was modified with no extraneous alterations. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.


Development

Successfully merging this pull request may close these issues.

nemoclaw-start: Permission denied in sandbox (0711 permissions, sandbox user can't read bash script)
